os/hosts/cube/nextcloud.nix

{ self, pkgs, config, lib, ... }:

let
  notifyPushPort = 7867;
in
{
  imports = [
    ./nextcloud-apps.nix
  ];

  age.secrets.nextcloud_db_pass = {
    owner = "nextcloud";
    group = "nextcloud";
    file = "${self}/secrets/cube_nextcloud_db_pass.age";
  };

  age.secrets.nextcloud_admin_pass = {
    owner = "nextcloud";
    group = "nextcloud";
    file = "${self}/secrets/cube_nextcloud_admin_pass.age";
  };

  # HTTP
  services.nginx = {
    enable = true;
    recommendedGzipSettings = true;
    recommendedOptimisation = true;
    recommendedProxySettings = true;
    recommendedTlsSettings = true;
    sslCiphers = "AES256+EECDH:AES256+EDH:!aNULL";
    virtualHosts."data.gssws.de" = {
      enableACME = true;
      forceSSL = true;

      locations."^~ /push/" = {
        proxyPass = "http://127.0.0.1:${toString notifyPushPort}";
        proxyWebsockets = true;
      };
    };
  };

  # DATABASES
  services.postgresql = {
    enable = true;
    package = pkgs.postgresql_11;

    settings = {
      max_connections = "200";
    };

    ensureDatabases = [ "nextcloud" ];
    ensureUsers = [
      {
        name = "nextcloud";
        ensurePermissions."DATABASE nextcloud" = "ALL PRIVILEGES";
      }
    ];
  };

  # REDIS
  services.redis.servers = {
    "nextcloud".enable = true;
  };

  users.groups."redis-nextcloud".members = [ "nextcloud" ];

  # Collabora Code server
  virtualisation.oci-containers.containers."nextcloud-collabora-code" = {
    image = "collabora/code";
    autoStart = true;
    ports = [ "127.0.0.1:9980:9980" ];
    environment.domain = "data\\.gssws\\.de";
    extraOptions = [ "--cap-add" "MKNOD" ];
  };

  services.nginx.virtualHosts."office.gssws.de" =
    let
      proxyPass = "https://127.0.0.1:9980";
      extraConfig = "proxy_ssl_verify off;";
    in
    {
      enableACME = true;
      forceSSL = true;

      locations."^~ /browser" = {
        inherit proxyPass extraConfig;
      };
      locations."^~ /hosting/discovery" = {
        inherit proxyPass extraConfig;
      };
      locations."^~ /hosting/capabilities" = {
        inherit proxyPass extraConfig;
      };
      locations."~ ^/cool/(.*)/ws''$" = {
        inherit proxyPass extraConfig;
        proxyWebsockets = true;
      };
      locations."~ ^/(c|l)ool" = {
        inherit proxyPass extraConfig;
      };
      locations."^~ /cool/adminws" = {
        inherit proxyPass extraConfig;
        proxyWebsockets = true;
      };
    };

  # NEXTCLOUD
  systemd.services."nextcloud-setup" = {
    requires = [ "postgresql.service" ];
    after = [ "postgresql.service" ];
  };
  services.nextcloud = {
    enable = true;
    package = pkgs.nextcloud25;
    hostName = "data.gssws.de";
    https = true;
    datadir = "/mnt/internal/nextcloud";

    caching.apcu = true;
    caching.redis = true;

    phpPackage = lib.mkForce pkgs.php81;

    poolSettings = {
      "pm" = "dynamic";
      "pm.max_children" = "128";
      "pm.start_servers" = "64";
      "pm.min_spare_servers" = "32";
      "pm.max_spare_servers" = "76";
      "pm.max_requests" = "500";
    };

    phpOptions = {
      short_open_tag = "Off";
      expose_php = "Off";
      error_reporting = "E_ALL & ~E_DEPRECATED & ~E_STRICT";
      display_errors = "stderr";
      "opcache.enable_cli" = "1";
      "opcache.interned_strings_buffer" = "32";
      "opcache.max_accelerated_files" = "100000";
      "opcache.memory_consumption" = "256";
      "opcache.revalidate_freq" = "1";
      "opcache.fast_shutdown" = "1";
      "openssl.cafile" = "/etc/ssl/certs/ca-certificates.crt";
      catch_workers_output = "yes";
    };

    config = {
      overwriteProtocol = "https";

      dbtype = "pgsql";
      dbuser = "nextcloud";
      dbhost = "/run/postgresql";
      dbname = "nextcloud";
      dbpassFile = "/run/agenix/nextcloud_db_pass";
      adminpassFile = "/run/agenix/nextcloud_admin_pass";
      adminuser = "admin";

      trustedProxies = [ "80.244.242.2" ];
      defaultPhoneRegion = "DE";
    };
  };
}